VPN configuration example 04: Cisco router IPsec over tunnel (GRE)
1. Site1 router IPsec tunnel configuration:
crypto isakmp policy 10 //define the phase 1 (ISAKMP/IKE) policy
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 61.128.1.1 //pre-shared key for peer 61.128.1.1; "cisco" is the key (a lab value; it must be identical on both peers and should be a long random secret in production)
!
!
crypto ipsec transform-set cisco esp-des
mode transport
!
crypto ipsec profile To_site2_ipsec //define the phase 2 (IPsec) policy as a profile
set transform-set cisco
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 202.100.1.1
tunnel destination 61.128.1.1
tunnel protection ipsec profile To_site2_ipsec //apply the profile to the tunnel interface; the tunnel source/destination define the interesting traffic (GRE, IP protocol 47), so no crypto ACL is needed on this side
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet3/0
no ip address
shutdown
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Site1#
2. Site2 IPsec configuration (Site2 uses the classic crypto-map approach instead of tunnel protection; the two sides interoperate because the crypto ACL on Site2 matches exactly the host-to-host GRE flow that Site1's tunnel protection derives automatically):
!
crypto isakmp policy 10 //define the phase 1 ISAKMP policy (must match Site1)
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
!
!
crypto ipsec transform-set cisco esp-des
mode transport
!
crypto map cisco 10 ipsec-isakmp //define the phase 2 IPsec policy as a crypto map
set peer 202.100.1.1
set transform-set cisco
match address ***
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 202.100.1.1
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 61.128.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco //apply the crypto map "cisco" to the physical interface the tunnel is sourced from
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet3/0
no ip address
shutdown
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 2.2.2.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
!
!
ip access-list extended ***
permit gre host 61.128.1.1 host 202.100.1.1 //interesting traffic: GRE between the two tunnel endpoints (must mirror the proxy identities Site1 derives from its tunnel interface)
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Site2#
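Both configurations above negotiate 3DES/MD5/DH group 2 for phase 1 and an ESP transform (esp-des) with no integrity algorithm for phase 2. The fragment below is an added example, not part of the original post, showing a hardened equivalent that uses tunnel protection on both routers with AES-256, SHA-256, DH group 14 and ESP integrity (which is also what enables anti-replay on IOS). It assumes an IOS 15.x release that supports these algorithms; the key STRONGKEY-CHANGE-ME is a placeholder, and the names STRONG and To_peer_ipsec are chosen here.

```cisco
! Site1 (hardened) - added example, not from the original post
! Phase 1: AES-256 / SHA-256 / DH group 14 instead of 3DES / MD5 / group 2
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! placeholder key: replace with a long random secret, identical on both peers
crypto isakmp key STRONGKEY-CHANGE-ME address 61.128.1.1
!
! Phase 2: ESP with encryption AND integrity; the HMAC is what turns on
! anti-replay ("replay detection support: Y" in show crypto ipsec sa)
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile To_peer_ipsec
 set transform-set STRONG
 set pfs group14
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source 202.100.1.1
 tunnel destination 61.128.1.1
 tunnel protection ipsec profile To_peer_ipsec
!
! Site2 (hardened): same policy, tunnel protection instead of crypto map + ACL
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key STRONGKEY-CHANGE-ME address 202.100.1.1
!
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile To_peer_ipsec
 set transform-set STRONG
 set pfs group14
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 202.100.1.1
 tunnel protection ipsec profile To_peer_ipsec
!
! With tunnel protection on Site2, "crypto map cisco" on FastEthernet1/0 and
! the GRE access list are no longer needed; the proxy identities are derived
! from the tunnel endpoints on both sides, so they cannot get out of step.
```

The verification commands in the sections below stay the same; after this change, show crypto ipsec sa should report the transform as esp-aes 256 esp-sha256-hmac and "replay detection support: Y" for both the inbound and outbound ESP SAs.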
3. VPN test (ping between the loopbacks across the tunnel):
Site1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/56/96 ms
Site1#
4. VPN status check:
What to read in the output below: in show crypto engine connections active, ID 1 is the IKE (phase 1) SA negotiated with 3DES and HMAC-MD5, while 2001 and 2002 are the two unidirectional IPsec (phase 2) SAs using DES. QM_IDLE with status ACTIVE in show crypto isakmp sa means phase 1 completed. In show crypto ipsec sa the local and remote identities are host-to-host with protocol 47, i.e. only GRE between the two endpoints is protected, and on Site1 the crypto map tag Tunnel0-head-0 is the map IOS generates automatically for tunnel protection. Note "replay detection support: N": the transform set esp-des carries no integrity algorithm, so the tunnel is encrypted but neither authenticated nor replay-protected, and DES, 3DES and MD5 are all deprecated; this is acceptable only in a lab. The 16 send errors on Site2 are packets that could not be encrypted, normally the ones sent before the SAs came up; a counter that keeps growing while the SAs are ACTIVE indicates a real problem.
1. Site1:
Site1#show crypto engi connec ac
ID    Interface  IP-Address   State  Algorithm           Encrypt  Decrypt
1     Tunnel0    172.16.1.1   set    HMAC_MD5+3DES_56_C        0        0
2001  Tunnel0    202.100.1.1  set    DES                     234        0
2002  Tunnel0    202.100.1.1  set    DES                       0      233
Site1#show crypto isakmp sa
dst          src          state    conn-id  slot  status
61.128.1.1   202.100.1.1  QM_IDLE  1        0     ACTIVE
Site1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 202.100.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (61.128.1.1/255.255.255.255/47/0)
current_peer 61.128.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 236, #pkts encrypt: 236, #pkts digest: 236
#pkts decaps: 235, #pkts decrypt: 235, #pkts verify: 235
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 61.128.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x698BB99(110672793)
inbound esp sas:
spi: 0x911DD429(2434651177)
transform: esp-des ,
in use settings ={Transport, }
conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4428651/1493)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x698BB99(110672793)
transform: esp-des ,
in use settings ={Transport, }
conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4428650/1490)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Site1#
2. Site2:
Site2#show crypto engi connec ac
ID    Interface        IP-Address  State  Algorithm           Encrypt  Decrypt
1     FastEthernet1/0  61.128.1.1  set    HMAC_MD5+3DES_56_C        0        0
2001  FastEthernet1/0  61.128.1.1  set    DES                     242        0
2002  FastEthernet1/0  61.128.1.1  set    DES                       0      243
Site2#show crypto isakmp sa
dst          src          state    conn-id  slot  status
61.128.1.1   202.100.1.1  QM_IDLE  1        0     ACTIVE
Site2#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: cisco, local addr 61.128.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (61.128.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
current_peer 202.100.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 414, #pkts encrypt: 414, #pkts digest: 414
#pkts decaps: 415, #pkts decrypt: 415, #pkts verify: 415
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 16, #recv errors 0
local crypto endpt.: 61.128.1.1, remote crypto endpt.: 202.100.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x911DD429(2434651177)
inbound esp sas:
spi: 0x698BB99(110672793)
transform: esp-des ,
in use settings ={Transport, }
conn id: 2002, flow_id: SW:2, crypto map: cisco
sa timing: remaining key lifetime (k/sec): (4472959/1405)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x911DD429(2434651177)
transform: esp-des ,
in use settings ={Transport, }
conn id: 2001, flow_id: SW:1, crypto map: cisco
sa timing: remaining key lifetime (k/sec): (4472960/1404)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Site2#
Reposted from: https://blog.51cto.com/ccie18405/1214608